Re: [spfbis] SPF-checking tool

"Frank Bulk" <frnkblk@iname.com> Thu, 27 February 2020 15:58 UTC

From: "Frank Bulk" <frnkblk@iname.com>
To: "'Stuart D Gathman'" <stuart@gathman.org>
Cc: <spfbis@ietf.org>, "'Scott Kitterman'" <sklist@kitterman.com>
Date: Thu, 27 Feb 2020 09:56:09 -0600
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/5_AqnD40TMBFvHgHTGmfCkeTvvU>

Perhaps I'm using an old version of that Python script, but here are some
examples.  My best guess is that the python script stops as soon as it
passes the check, but doesn't evaluate the whole record.


deerequipment.com: Dmarcian notes "The target name for
"include:spf.protection.outlook.com" equals an already evaluated "include"
mechanism / "redirect" modifier." 

visionnetusa.com: Dmarcian notes "Multiple SPF records found for
"visionnetusa.com". There should only be one."

ghekkonetworks.com: Dmarcian notes "Multiple SPF records found for
"ghekkonetworks.com". There should only be one."

billtrust.com: Dmarcian notes " A DMARC record was detected under
"billtrust.com". DMARC records must be located at "_dmarc.billtrust.com",
and not directly at "billtrust.com". If DMARC was set up as a wildcard
record, that should be removed and placed only at the domain level."

zayo.com: Dmarcian notes "12 DNS lookups required to evaluate the SPF
record. The maximum is 10."
root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1
ip4:66.202.101.250 ip4:65.114.230.67 ip4:64.179.27.250 ip4:64.196.161.5
ip4:13.111.0.0/23 ip4:64.18.0.0/20 ip4:64.151.112.128/28
ip4:64.151.119.32/27 ip4:64.233.160.0/19 ip4:64.235.144.0/20
ip4:66.102.0.0/20 ip4:66.231.95.0/29 ip4:66.249.80.0/20 ip4:67.59.141.128/28
ip4:64.125.230.136/32 ip4:69.43.143.32/27 ip4:69.43.143.96/27
include:spf-0024b301.pphosted.com include:email-od.com
include:_spf.salesforce.com include:_spf.google.com include:aspmx.pardot.com
include:_spf.q4press.com ~all" 66.202.101.250 postmaster@zayo.com
mail.zayo.com
result: ('pass', 250, 'sender SPF authorized') ip4:66.202.101.250
root@nagios:/usr/local/bin/spfcheck#

nocix.net: Dmarcian notes "16 DNS lookups required to evaluate the SPF
record. The maximum is 10."
root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1 mx a
ip4:204.152.38.69/32 ip4:204.152.38.70/32 ip4:204.152.38.77/32
ip4:204.152.38.72/32 a:s101.ndevix.com a:s101.chi.ndevix.com
a:s102.ndevix.com a:s105.ndevix.com a:f0.mx.ndevix.com a:f102.mx.ndevix.com
include:ndevix.com -all" 204.152.38.87 postmaster@nocix.net mail.nocix.net
result: ('pass', 250, 'sender SPF authorized') mx
root@nagios:/usr/local/bin/spfcheck#

tivo.com: Dmarcian notes:
	Error! 30 DNS lookups required to evaluate the SPF record. The
maximum is 10.
	Error! SPF record is present, but invalid.
root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1
include:_spf.tivo.com mx include:authsmtp.com include:stspg-customer.com
include:spf.protection.outlook.com include:aspmx.pardot.com
include:_spf.centercode.com ~all" 204.176.49.0 postmaster@tivo.com
mail.tivo.com
result: ('pass', 250, 'sender SPF authorized') include:_spf.tivo.com
root@nagios:/usr/local/bin/spfcheck#

nex-tech.com: Dmarcian notes: "SPF record is present, but invalid."
root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1
ip4:208.65.144.0/21 ip4:208.81.64.0/21 ip4:24.225.0.0/25
ip4:24.225.11.128/25 ip4:24.225.12.66 ip4:52.240.150.170
include:amazonses.com a:dispatch-us.ppe-hosted.com
include:449074.spf10.hubspotemail.net include:_spf.bigcommerce.com
include:azure.quotevalet.com include:spf.protection.outlook.com a -all"
208.65.144.0 postmaster@nex-tech.com mail.nex-tech.com
result: ('pass', 250, 'sender SPF authorized') ip4:208.65.144.0/21
root@nagios:/usr/local/bin/spfcheck#

atx.com: Dmarcian notes "12 DNS lookups required to evaluate the SPF record.
The maximum is 10."
root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1
include:spf.protection.outlook.com include:aspmx.pardot.com
include:salesforce.com -all" 40.92.0.0 postmaster@atx.com mail.atx.com
result: ('pass', 250, 'sender SPF authorized')
include:spf.protection.outlook.com
root@nagios:/usr/local/bin/spfcheck#

lewisdrug.com: Dmarcian notes:
	Error! 13 DNS lookups required to evaluate the SPF record. The
maximum is 10.
	Error! SPF record is present, but invalid.
root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1 mx a
ip4:216.12.181.71/32 ip4:216.12.181.72/32 include:_spf.google.com
include:spf.createsend.com include:_netblocks.mimecast.com ~all"
207.211.30.221 postmaster@lewisdrug.com mail.lewisdrug.com
result: ('pass', 250, 'sender SPF authorized') mx
root@nagios:/usr/local/bin/spfcheck#


Frank 

-----Original Message-----
From: Stuart D Gathman <stuart@gathman.org> 
Sent: Thursday, February 27, 2020 1:36 AM
To: Frank Bulk <frnkblk@iname.com>
Cc: spfbis@ietf.org
Subject: Re: [spfbis] SPF-checking tool

On Wed, 26 Feb 2020, Frank Bulk wrote:

> I currently use Kitterman's script, but it doesn't catch all the issues that
> Dmarcian does and so there's a number of domains that have issues but I'm
> not alerting on them. Dmarcian doesn't appear to have an API or downloadable
> version of their tool that I can run.

Are you checking DMARC, or SPF?

If SPF, can you give an example of an incorrect policy that is not
flagged?
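
An added illustration of the difference discussed in this message (not code from the thread or from the spf.py script it runs): an evaluator that stops at the first matching term spends only the lookups up to that term, while a linter walks the whole record tree, counts every DNS-querying term against the RFC 7208 limit of 10, and flags multiple records and repeated include targets. The zone data, domain names and function names are constructed for the example, and macros in targets are not expanded.

```python
import re

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: cap on DNS-querying terms per check
TERM = re.compile(r"[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)(?::([^/]+))?"
                  r"|(redirect)=(.+)", re.I)

def spf_records(domain, zone):  # TXT strings whose version tag is v=spf1
    return [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def audit(domain, zone, seen=None, findings=None):
    """Walk the whole record tree; return (lookup_term_count, findings)."""
    seen = set() if seen is None else seen
    findings = [] if findings is None else findings
    records = spf_records(domain, zone)
    if len(records) != 1:
        findings.append(f"{domain}: {len(records)} SPF records, need exactly 1")
        return 0, findings
    count = 0
    for term in records[0].split()[1:]:
        m = TERM.match(term)
        if not m:
            continue  # ip4, ip6, all and exp= cost no lookup
        count += 1
        name, target = (m.group(1) or m.group(3)).lower(), m.group(2) or m.group(4)
        if name in ("include", "redirect"):
            if target in seen:
                # Flag, skip the re-walk (stops include loops); total is then a lower bound.
                findings.append(f"{domain}: {name} target {target} already evaluated")
                continue
            seen.add(target)
            count += audit(target, zone, seen, findings)[0]
    return count, findings

def lookups_if_match(domain, zone, matched_term):
    """Lookups spent when evaluation stops at top-level `matched_term`."""
    terms = spf_records(domain, zone)[0].split()
    cut = " ".join(terms[:terms.index(matched_term) + 1])
    return audit(domain, {**zone, domain: [cut]})[0]

# Constructed zone data (reserved .test names, documentation IPs), not real DNS.
ZONE = {
    "corp.test": ["v=spf1 ip4:192.0.2.10 mx a include:_spf.esp.test "
                  "include:_spf.crm.test include:_spf.esp.test ~all"],
    "_spf.esp.test": ["v=spf1 include:a.esp.test redirect=b.esp.test"],
    "a.esp.test": ["v=spf1 ip4:198.51.100.0/25 -all"],
    "b.esp.test": ["v=spf1 ip4:198.51.100.128/25 -all"],
    "_spf.crm.test": ["v=spf1 a:out.crm.test mx:crm.test exists:x.crm.test ptr -all"],
    "dup.test": ["v=spf1 -all", "v=spf1 mx -all"],
}
```

Here `audit("corp.test", ZONE)` counts 11 lookup terms and reports the repeated include, while `lookups_if_match("corp.test", ZONE, "ip4:192.0.2.10")` is 0, so a pass for one sending IP says nothing about the rest of the record.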